Skip to content
Kordu Tools Kordu Tools
Developer Tools Runs in browser Updated 18 Apr 2026

chmod Calculator

Calculate Linux and Unix file permissions. Toggle read, write, and execute for owner, group, and others — get octal, symbolic, and chmod command.

Common presets

EntityReadWriteExecuteOctalSymbolic
Owner6rw-
Group4r--
Others4r--
Octal permission644
Symbolic notation-rw-r--r--
chmod 644 filename
Loading rating…

How to use chmod Calculator

  1. Pick a preset or toggle bits manually

    Click a quick preset (755, 644, 700, 600, 444, or 777) to load common values instantly, or check and uncheck read, write, and execute for each class — owner, group, and others — to build a custom permission set.

  2. Read the octal and symbolic values

    The calculator displays both the three-digit octal value (e.g. 755) and the symbolic string (e.g. rwxr-xr-x) as you toggle. Each row also shows the individual digit so you can see how the bits add up (r=4, w=2, x=1).

  3. Copy the chmod command

    The full `chmod` command appears at the bottom. Click Copy to place it on your clipboard.

  4. Replace the placeholder path

    Swap the default `filename` for the real file or directory path you want to modify, using an absolute path or a path relative to your current working directory.

  5. Run the command in your terminal

    Paste into a Linux, macOS, or WSL shell. You'll need write access to the file's parent directory — prefix with `sudo` for files you don't own.

  6. Verify with ls -l

    Run `ls -l <path>` (or `ls -ld` for a directory) to confirm the permission string matches what you expected. The first character is the file type; the next nine are user, group, and others in that order.

  7. Apply recursively when you need to

    For directory trees, split files and directories instead of blanket `-R`: `find <path> -type d -exec chmod 755 {} \;` and `find <path> -type f -exec chmod 644 {} \;`. This avoids granting execute to every file or removing execute from every directory.

chmod Calculator FAQ

What do the three octal digits mean?
Each digit is a permission class: owner (user), group, and others, in that order. Inside each digit, read = 4, write = 2, execute = 1, added together. `chmod 755` means owner rwx (4+2+1=7), group r-x (4+0+1=5), and others r-x (4+0+1=5). `chmod 640` means owner rw- (6), group r-- (4), and others --- (0).

When should I use chmod 755?
Use 755 (rwxr-xr-x) for directories that should be traversable by everyone and for executable scripts or binaries that everyone should be able to run. It's the standard for web server document roots and CLI tools — owner has full control, everyone else can read and traverse but not modify.

When should I use chmod 644?
Use 644 (rw-r--r--) for regular files that aren't scripts — HTML, CSS, images, config files, documents. Owner can read and write; group and others can only read. Files don't need execute unless they're programs, and leaving execute off makes ownership mistakes less dangerous.

Is chmod 777 safe?
Almost never. 777 (rwxrwxrwx) lets any account on the system read, modify, or execute the file. On shared hosting and production servers that's a clear security issue, and it usually masks a different problem — wrong owner, wrong group, or a missing `x` on a parent directory. Fix ownership or apply a tighter permission instead.

Why does SSH require chmod 600 on my private key?
OpenSSH refuses to use a private key that is readable by anyone except the owner — otherwise another user on the box could copy it and impersonate you. Run `chmod 600 ~/.ssh/id_rsa` on the key and `chmod 700 ~/.ssh` on the directory. `authorized_keys` should also be 600.

What's the difference between octal (755) and symbolic (rwxr-xr-x) notation?
They're the same permissions in two formats. Octal compresses each class into one digit (user, group, others); symbolic spells every bit out. Octal is faster when you know the exact target; symbolic is clearer when reading `ls -l` output. chmod itself accepts a third form — operator syntax like `u+x` or `go-w` — for adjusting individual bits without recalculating.

What are setuid, setgid, and the sticky bit?
They're a fourth octal digit prepended to the usual three. setuid (4000, `u+s`) makes an executable run as the file's owner, which is how `passwd` edits `/etc/shadow`. setgid (2000, `g+s`) on a directory forces new files inside to inherit the directory's group — useful for shared folders. The sticky bit (1000, `+t`) on a directory only lets a file's owner delete it, which is why `/tmp` is `chmod 1777`.

How does umask affect new files?
The kernel starts from a maximum (666 for files, 777 for directories) and subtracts the umask when a file is created. A umask of `022` produces 644 files and 755 directories (the default on most systems). A umask of `002` produces 664 and 775 for shared-group setups. umask only controls defaults — chmod afterwards still applies exactly what you pass it.

How do I apply different permissions to files and directories recursively?
Split by type with `find`: `find <path> -type d -exec chmod 755 {} \;` for directories and `find <path> -type f -exec chmod 644 {} \;` for files. Using `chmod -R 755` alone grants execute to every file, and `chmod -R 644` strips execute from every directory, breaking traversal. The split handles both correctly in one pass each.

What does execute permission mean on a directory?
Execute on a directory is the right to traverse it — to `cd` into it and to open files inside by name. Without execute you can't access anything inside, even if you can list the directory (with read). Read without execute lets you see filenames but not open them; execute without read lets you open a known path but not `ls` the directory.

Why didn't my permissions persist after a git clone or checkout?
Git only tracks the executable bit — either 755 or 644. Finer permissions (700, 600, 640) are not stored in the repository and must be re-applied after clone, usually by a deploy script, a post-checkout hook, or a tool like `chmod-scripts.sh`. For secrets, avoid checking them in at all and generate the file at deploy time with the correct mode.

Can I use chmod for Docker volume mounts?
Yes, but with a caveat: the numeric UID inside the container must match the file's owner on the host for chmod and ownership to behave as expected. Bind mounts preserve the host's permissions; named volumes start owned by root unless you set a user in your Dockerfile or `docker run --user`. Most Dockerfiles create a non-root user with a fixed UID (e.g. 1000) and `chown` the app directory to that user during build.

Does chmod work on Windows?
Native Windows uses NTFS ACLs managed via `icacls`, which don't map cleanly to POSIX bits. Inside WSL (Windows Subsystem for Linux) chmod does run, but the mapping to NTFS depends on mount options — files on a Windows drive mounted into WSL sometimes report 777 regardless of the underlying ACLs. For anything security-sensitive in WSL, keep the files on the Linux filesystem (e.g. `~`) rather than `/mnt/c`.

What is an ACL? Does chmod override it?
POSIX ACLs (`setfacl`, `getfacl`) extend the owner/group/others model with per-user and per-group grants on the same file — useful when two specific accounts need different access. chmod interacts with ACLs but doesn't remove them; a chmod can tighten the group ACL mask and effectively reduce access granted by ACL entries. SELinux and AppArmor sit on top as mandatory policies — a process blocked by SELinux fails even with chmod 777.

Is any data sent anywhere?
No. Every calculation runs entirely in your browser. The tool is pure client-side JavaScript with no backend — nothing you toggle or view is uploaded, logged, or stored.

Background

The Kordu chmod Calculator turns Linux and Unix file permission settings into an octal value, a symbolic string, and a ready-to-run chmod command. Toggle read (r), write (w), and execute (x) for the three permission classes — owner (user), group, and others — and instantly see the result in every format you need. Quick presets cover the permission values you use daily: 755 for web directories and scripts, 644 for regular files, 700 for private directories, 600 for SSH keys, 444 for read-only archives, and 777 when you absolutely need wide-open access in a sandbox.

The POSIX permission model

Every file and directory on a Linux, macOS, or other Unix-like system carries nine permission bits — three classes (user, group, others) multiplied by three actions (read, write, execute). These nine bits compress cleanly into three octal digits because each digit encodes exactly three bits. The order is always the same: user first, group second, others third. chmod 750 grants the owner full access (7 = rwx), the group read + execute (5 = r-x), and everyone else nothing (0 = ---).

Bit values are additive

  • read (r) = 4 — list a directory's contents, open a file
  • write (w) = 2 — create, rename, or delete entries in a directory, modify a file
  • execute (x) = 1 — enter a directory (cd into it) or run a file as a program

Sum the values to build each digit. rwx is 4+2+1 = 7. r-x is 4+0+1 = 5. rw- is 4+2+0 = 6. Once the pattern clicks, reading chmod 640 as "owner rw, group r, others nothing" becomes second nature.

Common recipes you'll reach for

  • 755 (rwxr-xr-x) — web server directories, CLI scripts, anything the world should read and execute but not modify.
  • 644 (rw-r--r--) — regular web files (HTML, CSS, images), config files, most plain-text files. Execute isn't needed unless the file is a script.
  • 700 (rwx------) — private directories only the owner may enter.
  • 600 (rw-------) — private keys, tokens, .env files, ~/.ssh/id_rsa. OpenSSH refuses to use a key that is group- or world-readable.
  • 444 (r--r--r--) — immutable read-only archives or reference files.
  • 777 (rwxrwxrwx) — full access for everyone. Almost always the wrong answer in production; it's the permission equivalent of "I don't know what the problem is, so I'm going to solve it with a sledgehammer."

Symbolic notation and symbolic chmod

The string rwxr-xr-x is the same permissions as octal 755, written out bit-by-bit. You'll see it everywhere ls -l runs. chmod also accepts symbolic operands directly: chmod u+x script.sh adds execute for the owner, chmod go-w file removes write for group and others, chmod a=r file sets everyone to read-only. The operator classes are u (user/owner), g (group), o (others), and a (all). Operators are + (add), - (remove), and = (set exactly). Symbolic mode is ideal when you want to flip one bit without recalculating the whole value; octal is faster when you know the exact target.

Execute on directories vs. files

For files, execute means "run this as a program." For directories, it means "traverse" — you can cd into the directory and access entries by name. Crucially, you can have read without execute on a directory (you can ls it but cannot cd into it or open files inside), or execute without read (you can open a specific file by path but cannot list the directory). Most workflows want both, which is why 755 and 750 are so common.

Special bits — setuid, setgid, sticky

A fourth octal digit, prepended, encodes three special modes. setuid on an executable (chmod u+s or a leading 4) runs it as the file's owner regardless of who launched it — this is how /usr/bin/passwd edits /etc/shadow. setgid on a directory (chmod g+s or leading 2) forces new files inside to inherit the directory's group, handy for shared team folders. The sticky bit (chmod +t or leading 1) on a directory restricts deletion so only the file's owner (or root) may remove entries — this is why /tmp is chmod 1777.

Recursive changes — split files and directories

chmod -R 755 ./site applies 755 to every entry, files included — which grants execute to every file even when it isn't needed. The canonical fix is to split by type: find . -type d -exec chmod 755 {} \; for directories and find . -type f -exec chmod 644 {} \; for files. You get the right execute bit on directories without flipping it on every stylesheet.

umask — the mask for newly created files

When a process creates a file, the kernel starts from 666 (files) or 777 (directories) and subtracts the umask. A umask of 022 yields 644 for files and 755 for directories — the default on most distributions. A umask of 002 (common in shared-group setups) yields 664 and 775. Set it in ~/.bashrc, ~/.zshrc, or /etc/profile to control defaults for a shell session. umask does not affect chmod itself; it only changes what new files start out as.

SSH key requirements

OpenSSH is strict: ~/.ssh should be 700, private keys 600, and authorized_keys 600. Looser permissions cause Permissions are too open errors and a refused connection. chmod 700 ~/.ssh && chmod 600 ~/.ssh/id_rsa fixes the common case after copying keys between machines.

Deploy recipes that actually work

Web servers typically run as www-data, nginx, or apache. Set ownership with chown -R www-data:www-data /var/www/site, then apply 755 to directories and 644 to files using the find split above. Lock down secrets: chmod 600 .env. Grant the web user write only where uploads land: chmod 775 on upload dirs with a group the web user belongs to.

ACLs, SELinux, and when chmod isn't enough

POSIX ACLs (setfacl, getfacl) extend the model with per-user and per-group grants beyond the three-class scheme — useful when two specific users need different access to the same file. SELinux and AppArmor sit above chmod as mandatory access control policies; a process denied by SELinux will fail even with chmod 777. On Windows, NTFS uses ACLs via icacls, and WSL surfaces a best-effort mapping that can produce surprising permission drift — if a file looks like 777 on Windows but 644 in WSL, the mount options are the culprit.

Common mistakes

  • Using chmod 777 as a "fix." It masks the real permission mismatch and opens a security hole.
  • Forgetting -R on a tree, or using -R and ruining directory traversal or file execute bits. Split by -type instead.
  • Expecting git to preserve arbitrary permissions. Git only tracks the executable bit (mode 755 vs 644). Permissions must be re-applied after clone — usually via a deploy script.
  • Making .env or a private key world-readable. Set them to 600 at creation time, not as an afterthought.

Privacy

Every calculation happens in your browser. Nothing is uploaded, logged, or transmitted. The tool is pure client-side JavaScript — it works offline once the page has loaded and has no signup, rate limits, or backend.

Related tools

.gitignore Generator

Generate .gitignore files for Node.js, Python, Go, Rust, React, Next.js, Vite, Laravel, Django, Docker, Terraform, VS Code, macOS and more.

Cron Expression Generator

Build cron expressions visually or decode any cron string into plain English with next run previews.

Cron Expression Explainer

Paste any cron expression and get a plain English explanation, per-field breakdown, and a preview of the next scheduled run times.

Hash Generator

Generate MD5, SHA-1, SHA-256, and SHA-512 hashes from text or files instantly in your browser.

UUID Generator

Generate cryptographically secure v4 and v7 UUIDs in bulk — copy individually or all at once, instantly in your browser.

SSL Certificate Decoder

Paste any PEM-encoded SSL/TLS certificate and instantly decode all X.509 fields: subject, issuer, validity, SANs, key usage, fingerprints, and more.

HTTP Status Code Reference

Complete HTTP status code reference with descriptions, causes, and examples — searchable and filterable by category.

Password Generator

Generate cryptographically secure passwords with custom length (8–128), character sets, entropy display, and exclude-ambiguous option. Runs in your browser.